Azure Governance
Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.
More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.
Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups
-
Azure Policy - Compliance Overview & Non-Compliant Resources Details
On the "non-compliance resources" view and also the detailed "resource compliance" blade need to show more details on the policy rule that was not compliance (e.g. what field, expected values, actual values)
For example, if I have a policy that checks for a tag existence, which has a parameter of tagName, then have an initiative which has that policy linked 4 times with different tagName parameters, you can't tell which is which or what the actual values of the resource evaluated were.
5 votes -
Blueprints and ARM Complete mode
Today, without the ability to specify complete mode deployments, we struggle undoing items from ARM templates. As blueprints change over time, would make our lives much easier if we didn't need to drop into Azure CLI or REST to undo changes
https://github.com/neilpeterson/azure-blueprints-pipeline-tasks/issues/66
4 votes -
Allow for blueprint access on management groups without seeing all other subscriptions beneath it
We want to give access to blueprints on management groups without the user seeing all other subscription below that management group.
4 votes -
Grafana plugin for Resource Graph
We love the Grafana plugins for Log Analytics, Appinsights, ADE. Can we see a plugin for Azure Resource Graph next?
4 votesYou can use Resource Graph Explorer in the Azure Portal to do queries and save and pin to your Azure dashboard. Would this serve your scenario.
-
Include expanded instance view information into virtual machines response
It would be very useful to include
properties.instanceViewinto base response for 'Microsoft.Compute/virtualMachines'. It's not efficient enough to get instance statuses for each machine in separate API call. Moreover I didn't find an ability to retrieve this property via GraphAPI at all.4 votes -
Support Optional Blueprint Parameters
Currently, all Blueprint Parameters require a value to be entered. Please support optional parameters for Blueprints. There are numerous use cases for this:
- Deploy a VM standalone or in an Availability Set.
- Add additional tags to resources.
- And so on...
4 votes -
Blueprint Parameters Validation
Currently the only Blueprint Parameter validation properties that are accepted is "defaultValue" and "allowedValues". Please add the following that are supported by ARM Template Parameters and would provide a much better experience for an Blueprint Assigner:
- minValue
- maxValue
- minLength
- maxLength
More information about the above properties can be found here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates#parameters
4 votes -
Allow use of resourceGroup() functions within a resource group artifact
When using an ARM template artifact within a resource group artifact, allow us to use the resourceGroup() functions, like respourceGroup().location. Currently, we receive the error: Error: 'The function 'resourceGroup' is not valid.'
4 votesWe are working on a fix to make sure all ARM template functions work if they are deployed by a blueprint
-
Add Microsoft.Compute/Disks.managedby as a policy alias
Please add Microsoft.Compute/Disks.managedby as a valid policy alias, in order to audit unattached disks as non-compliant resources
4 votes -
Azure Policy : Need to see compliant ressources (not only not-compliant)
HI,
When setting up Azure Policy, compliant policy just display non-compliant ressources.
It could be give some confusion for Policy Manager if our custom policy is really working. Best way that I found, is to create a new ressource without attended settings, then check later (if audit mode) if this ressources is show as non compliant, then change the settings for check if now I've 0 non-compliant ressources.
For to be more quick in deploying azure policy rules, just a tab for show all compliant ressources, could be useful.
Extra question : when having not conpliant based on field, to…
4 votes -
Allow assign Azure policies on all subscription under EA portal
Now policies can be assigned on a subscription/resource group/resources level.
But my customer want to assign policies once on all subscriptions under EA portal or at least on department level4 votes -
I want to prevent a single person being able to delete resources or resource groups without a second person having approved the change.
I was wondering if it possible to have some kind of workflow for managing resources in Microsoft Azure. My goal is to have two persons having to agree on certain actions in Resource Manager. I want to prevent a single person being able to delete resources or resource groups without a second person having approved the change.
Is it possible to have something like this in Azure?
4 votes -
Ability to query budget and forecast in Azure Resource Graph
Please add the ability to query budget and forecast in Azure Resource Graph. This will allow the creation of dynamic and filterable cost management dashboards
3 votes -
Improve CIS Blueprints for subnet NSGs and/or clarify documentation
CIS Blueprint policy says subnet does not have an NSG, but the portal and az CLI say it does. The policy definition refers to Microsoft.Security/complianceResults and networkSecurityGroupsOnSubnets which are not documented.
3 votes -
Include core counts for VMs for the purpose of cross-joins with other data
It would be great to have some of other meta data exposed within Resource Graph. More specifically a way to get the number of cores that a VM size has. This would be valuable for queries to show the total number of cores that are used. Right now, we have to export out the results of the Resource Graph and convert the VM SKU to the number of cores outside of Resource Graph. Having it within the Resource Graph would allow us to do joins within our queries to get a single report with all of the information that we…
3 votes -
Create additional policy condition of 'inCaseSensitive' to validate case-senstive match in the Array
Request to have the policy condition similar to 'in' for an Array to have an additional policy condition of 'inCaseSensitive' (or similar) to validate the value in the array is an exact, case-sensitive match.
3 votes -
Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.
Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.
3 votes -
Make tag-values immutable (perhaps via Blueprint Locks)
We are using tags a lot to organize our ressources. That's why we have some hundred values for one key.
as deployers tend to do mistakes like typos we would be glad if tag-values could be predeployed and afterwards made immutable e.g. by using a blueprint and locking them. Another approach for the source of truth could be a storage table, or database.
Like that no addition, duplicates, typos etc. could be created.3 votes -
Support conditions on artifact level
It would be very nice when conditions attribute can be set on a artifact like it could on resources in an ARM template. So it would be possible to deploy or not deploy artifacts based on parameter inputs or outputs from an ARM.
Example use case:
Blueprint creates a vNet and an AKS cluster. Then you configure an ingress controller on AKS and after that a new NSG should be deployed which locks down the vNet so only the LB of the Ingress Controller is reachable. This can be done by update the blueprint assignment and specify a parameter like…3 votes -
Ability to query for custom role definitions in Azure Resource Graph
Please add support for listing all custom role definitions
Resource Type: Microsoft.Authorization/roleDefinitions
https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2017-09-01/roledefinitions
3 votes
- Don't see your idea?